The Changing Face of Carbanak

Carbanak has moved away from its exclusive focus on financial services, branching out to attacks against hospitality and retail.

Months of ramped-up Carbanak activity, including a host of new targets and a new command-and-control strategy, have reinvigorated attention on a criminal outfit that may have at one time stolen up to $1 billion from banks worldwide.

Carbanak has moved on from an almost exclusive focus on financial services and has been hitting a number of organizations in the hospitality, restaurant and retail markets, using a bevy of tools that would make a state-sponsored APT group envious.

But perhaps the most ingenious and effective shift is the group’s decision to run command-and-control from a number of Google’s cloud-based services such as Google Forms and Google Sheets. Traffic to and from compromised computers, which includes uploads of stolen payment card and other sensitive information and downloads of new commands and malware, is encrypted and obfuscated. Traffic to these services likely wouldn’t be blocked by an organization because it’s Google, and finding malicious traffic or stolen data presents a serious challenge, even to Google.

Google refused to comment on the scope of the challenge, or whether it has been able to shut down any of the command and control accounts.

“We’re constantly working to protect people from all forms of malware and other types of attacks. We’re aware of this particular issue and taking the appropriate actions,” a Google spokesperson told Threatpost.

Researchers at Trustwave and Forcepoint said they disclosed their findings in recently published research to Google.

In the meantime, Carbanak continues to carry out campaigns in North America and Europe, infiltrating enterprise networks, infecting servers, point-of-sale terminals and client workstations.

“They are very stubborn and very good,” said Trustwave global director of incident response and computer forensics Brian Hussey. “They’ve been doing it for years; it’s their profession. Their malware and capabilities are cutting edge. They don’t make dumb mistakes. They’re stealthy how they infiltrate victims, they’re good at lateral movement and leaving backdoors so that it’s easy to re-engage. It’s their professionalism really.”

Trustwave published a 45-page report on Wednesday about Carbanak activity that echoes some of what Forcepoint published earlier this week, in particular around the use of Google services for command and control. It diagrams some attacks, most of which start with spear phishing emails containing malicious Word documents as attachments. The attachments require users to enable macros in order to view the attached document and execute the attack. Attackers have gone so far as to place a phone call to the target and use social engineering in an attempt to get them to open and execute the malware tied to the attachment.
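The initial access described above hinges on a macro-enabled Word attachment. A mail gateway or triage script can flag such files structurally, without opening them in Office, because OOXML documents are ZIP packages whose `[Content_Types].xml` declares a macro-enabled content type and which carry the VBA code in a `vbaProject.bin` part. The following is an added example written for this article, not code from Trustwave or Forcepoint; the sample documents it builds in memory are constructed stand-ins, and the `vbaProject.bin` payload is a placeholder byte string rather than real VBA.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls) container

# Content-type strings OOXML uses to declare macro-enabled documents and the VBA part itself.
MACRO_CONTENT_TYPE_MARKERS = (
    "macroenabled",                          # e.g. application/vnd.ms-word.document.macroEnabled.main+xml
    "application/vnd.ms-office.vbaproject",  # content type of the vbaProject.bin part
)


def inspect_office_attachment(data: bytes) -> dict:
    """Classify an attachment: 'block' if it carries a VBA project or declares a macro-enabled
    content type, 'review' if it is a legacy OLE2 file this checker cannot parse, 'allow' otherwise.
    Inspection is purely structural (ZIP member names and declared content types); nothing is executed."""
    result = {"is_ooxml": False, "has_vba_project": False, "macro_content_types": [], "verdict": "allow"}

    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls can embed macros in OLE streams; that needs an OLE parser, so hand it off.
        result["verdict"] = "review"
        return result

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container, so not OOXML

    names = zf.namelist()
    by_lower = {n.lower(): n for n in names}
    if "[content_types].xml" not in by_lower:
        return result
    result["is_ooxml"] = True

    # The VBA project is a binary part, conventionally word/vbaProject.bin (xl/ and ppt/ for Excel/PowerPoint).
    result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)

    content_types = zf.read(by_lower["[content_types].xml"]).decode("utf-8", "replace").lower()
    result["macro_content_types"] = [m for m in MACRO_CONTENT_TYPE_MARKERS if m in content_types]

    if result["has_vba_project"] or result["macro_content_types"]:
        result["verdict"] = "block"
    return result


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML Word package built in memory.
    The vbaProject.bin content is a placeholder, not real VBA."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    content_types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean.docx", build_sample_docx(False)),
                          ("invoice.docm", build_sample_docx(True)),
                          ("legacy.doc", OLE2_MAGIC + b"\x00" * 64)):
        print(label, inspect_office_attachment(sample))
```

The check is deliberately conservative: a document is blocked if either indicator is present, since attackers can rename a `.docm` to `.docx` and Word will still honour the declared content types. Legacy binary documents are routed to a separate queue rather than silently allowed.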

Once on a machine, the attackers are determined to move laterally until they land on a worthy machine; they do so using pass-the-hash attacks for privilege escalation with the aim of gaining domain or admin level access. They’ve also been able to buy legitimate digital certificates from Comodo that they’ve used to sign malware; the companies and individuals in Russia whose identities were used to buy the certs are likely phony, Trustwave said.
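Pass-the-hash leaves a recognisable shape in Windows Security logs, which is where a defender hunting for the lateral movement described above would start. Two common heuristics are: on the source host, a 4624 logon with LogonType 9 (NewCredentials), LogonProcessName `seclogo` and AuthenticationPackageName `Negotiate`, the pattern produced when injected credentials are used locally; and, on target hosts, one account from one source address completing NTLM network logons (LogonType 3) to many machines in a short window, which stands out in a Kerberos-default domain. The code below is an added example for this article, not Trustwave's tooling; the event records are constructed and simplified, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified Windows Security 4624 records (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary interactive Kerberos logon on a workstation.
    {"time": "2016-11-16T09:00:01", "host": "WS-042", "event_id": 4624, "logon_type": 2,
     "account": "jdoe", "auth_pkg": "Kerberos", "logon_proc": "User32", "src_ip": "-"},
    # NewCredentials logon via seclogo/Negotiate on the same workstation.
    {"time": "2016-11-16T09:14:10", "host": "WS-042", "event_id": 4624, "logon_type": 9,
     "account": "jdoe", "auth_pkg": "Negotiate", "logon_proc": "seclogo", "src_ip": "::1"},
    # Fan-out of NTLM network logons from that workstation's address to several servers.
    {"time": "2016-11-16T09:15:00", "host": "SRV-FILE01", "event_id": 4624, "logon_type": 3,
     "account": "svc_backup", "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "src_ip": "10.0.5.42"},
    {"time": "2016-11-16T09:15:40", "host": "SRV-DB01", "event_id": 4624, "logon_type": 3,
     "account": "svc_backup", "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "src_ip": "10.0.5.42"},
    {"time": "2016-11-16T09:17:05", "host": "SRV-POS01", "event_id": 4624, "logon_type": 3,
     "account": "svc_backup", "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "src_ip": "10.0.5.42"},
    {"time": "2016-11-16T09:18:30", "host": "DC01", "event_id": 4624, "logon_type": 3,
     "account": "svc_backup", "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "src_ip": "10.0.5.42"},
    # Benign single NTLM logon from a legacy print server account (should not alert).
    {"time": "2016-11-16T09:16:00", "host": "SRV-FILE01", "event_id": 4624, "logon_type": 3,
     "account": "printsvc", "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "src_ip": "10.0.9.9"},
]


def detect_newcredentials_seclogo(events):
    """Heuristic 1 (source host): LogonType 9 via seclogo with Negotiate. Legitimate
    'runas /netonly' also yields LogonType 9, so treat hits as triage leads, not proof."""
    return [
        {"rule": "newcredentials_seclogo", "host": e["host"], "account": e["account"], "time": e["time"]}
        for e in events
        if e["event_id"] == 4624 and e["logon_type"] == 9
        and e["logon_proc"].lower() == "seclogo" and e["auth_pkg"].lower() == "negotiate"
    ]


def detect_ntlm_fanout(events, window_minutes=10, min_hosts=3):
    """Heuristic 2 (target hosts): one (account, source IP) pair reaching >= min_hosts distinct
    hosts over NTLM network logons within window_minutes. Thresholds are assumed defaults."""
    ntlm = sorted(
        (e for e in events
         if e["event_id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM"),
        key=lambda e: e["time"],
    )
    by_actor = defaultdict(list)
    for e in ntlm:
        by_actor[(e["account"], e["src_ip"])].append(e)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (account, src_ip), evs in by_actor.items():
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        for i, start in enumerate(times):  # slide a window forward from each logon
            hosts = {evs[j]["host"] for j in range(i, len(evs)) if times[j] - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "ntlm_fanout", "account": account, "src_ip": src_ip,
                               "hosts": sorted(hosts), "first_seen": evs[i]["time"]})
                break  # one alert per actor is enough for triage
    return alerts


def run_detections(events):
    """Run both heuristics and return the combined alert list."""
    return detect_newcredentials_seclogo(events) + detect_ntlm_fanout(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Correlating the two signals (a seclogo logon on a workstation followed minutes later by NTLM fan-out from that workstation's address) raises confidence considerably; either alone will produce some benign hits from administrators using alternate credentials or from legacy systems that still speak NTLM.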

“The Carbanak campaigns include full-service malware that does everything from escalating privileges to shutting down antivirus,” Hussey said. “They have the ability to target much more than payment card data. They can target R&D, personal information, anything in the environment. We know they are targeting payment data and getting away with a lot. The concern is they can go a lot further with the tools they have available.”

Trustwave says much of this activity bears the hallmarks of Carbanak, but the clincher was the use of the Anunak backdoor (signed with the Comodo cert), along with VBScript and PowerShell script files capable of receiving commands or exfiltrating data.

Trustwave published hashes associated with the malicious files and IP addresses for the malicious hosts connecting with compromised computers.

Authors

Threatpost